US8656169B2 (Active, Utility patent)

Method, system and device for negotiating security capability when terminal moves

Assignee: HE CHENGDONG · Priority: Aug 31, 2007 · Filed: Dec 9, 2009 · Granted: Feb 18, 2014
Est. expiry: Aug 31, 2027 (~1.2 yrs left) · nominal 20-yr term from priority
Inventors: HE CHENGDONG
CPC classifications: H04L 9/0844, H04L 63/20, H04L 63/205, H04L 9/088, H04L 63/062, H04L 2463/061, H04L 69/24, H04L 63/1441, H04W 36/0038, H04W 8/02, H04L 63/0876, H04L 63/0492, H04W 12/0431, H04W 12/041, H04W 12/106, H04W 12/122
PatentIndex score: 83 · Cited by: 9 · References: 29 · Claims: 20

Abstract

A method for negotiating a security capability when a terminal moves is provided. When a user equipment (UE) moves from a second/third generation (2G/3G) network to a long term evolution (LTE) network, the method includes the following steps. A mobility management entity (MME) acquires a non-access signaling (NAS) security algorithm supported by the UE, and an authentication vector-related key or a root key derived according to the authentication vector-related key, selects an NAS security algorithm, derives an NAS protection key according to the authentication vector-related key or the root key, and sends a message carrying the selected NAS security algorithm to the UE. The UE derives an NAS protection key according to an authentication vector-related key thereof. A system for negotiating a security capability when a terminal moves, a UE, and an MME are further provided.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method of security capabilities negotiation, comprising:
   sending, when a user equipment (UE) in an idle state moves from a non-long term evolution (non-LTE) network to a long term evolution (LTE) network, a tracking area update (TAU) request message from the UE to a mobility management entity (MME) of the LTE network, the TAU request message including security capabilities supported by the UE;
   obtaining, by the MME, an authentication vector-related key from the non-LTE network;
   selecting, by the MME, a non-access stratum (NAS) security algorithm to use in communications between the LTE network and the UE, according to the security capabilities supported by the UE;
   deriving, by the MME, a NAS protection key to use in the communications between the LTE network and the UE, according to the authentication vector-related key by using a key derivation method;
   sending, by the MME, the selected NAS security algorithm to the UE; and
   deriving, by the UE, a NAS protection key to use in the communications between the LTE network and the UE, according to an authentication vector-related key thereof by using a same key derivation method as the MME.

2. The method according to claim 1, wherein the obtaining the authentication vector-related key step includes: obtaining, by the MME, the authentication vector-related key from a mobility management context response message sent from a service general packet radio service (GPRS) support node (SGSN) of the non-LTE network.

3. The method according to claim 1, wherein the non-LTE network is a second generation (2G) network, and the authentication vector-related key includes an encryption key (Kc).

4. The method according to claim 1, wherein the key derivation method for deriving comprises:
   deriving a root key according to the authentication vector-related key, and then
   deriving the NAS protection key according to the derived root key.

5. A system for security capabilities negotiation, comprising:
   a user equipment (UE); and
   a long term evolution (LTE) network including a mobility management entity (MME) communicatively connected with the UE,
   wherein the UE is configured to send a tracking area update (TAU) request message to the MME when the UE moves in idle state from a non-LTE network to the LTE network, the TAU request message including security capabilities supported by the UE; and
   wherein the MME is configured to:
      obtain an authentication vector-related key from the non-LTE network;
      select, according to the security capabilities supported by the UE, a non-access stratum (NAS) security algorithm to use in communications between the LTE network and the UE;
      send the selected NAS security algorithm to the UE; and
      derive, according to the obtained authentication vector-related key by using a key derivation method, a NAS protection key to use in the communications between the LTE network and the UE,
   wherein the UE is further configured to derive, according to an authentication vector-related key by using the same key derivation method as the MME, a NAS protection key to use in the communications with the LTE.

6. The method according to claim 1, wherein the selected NAS security algorithm is sent in an integrity protection way with the NAS protection key derived by the MME to the UE.

7. The method according to claim 1, wherein the selected NAS security algorithm is sent to the UE through a NAS security mode command (SMC) message.

8. The method according to claim 7, wherein the NAS security mode command (SMC) message is integrity protected with the NAS protection key derived by the MME.

9. The method according to claim 1, the selected NAS security algorithm is sent to the UE through a TAU accept message.

10. The method according to claim 1, wherein the non-LTE network is a third Generation (3G) network and the authentication vector-related key includes an integrity key (IK) and an encryption key (KC).

11. The method according to claim 1, wherein the NAS security algorithm includes a NAS integrity protection algorithm and a NAS confidentiality protection algorithm, the NAS protection key includes a NAS integrity protection key and a NAS confidentiality protection key.

12. The system according to claim 5, wherein the MME is configured to obtain the authentication vector-related key from an SGSN of the non-LTE network, the authentication vector-related key being included in a mobility management context response message.

13. The system according to claim 5, wherein the non-LTE network is a second generation (2G) network and the authentication vector-related key includes an encryption key (Kc).

14. The system according to claim 5, wherein the non-LTE network is a third generation (3G) network and the authentication vector-related key includes an integrity key (IK) and an encryption key (CK).

15. The system according to claim 5, the key derivation method is configured to be as follows: deriving a root key from the authentication vector-related key and deriving the NAS key from the derived root key.

16. The system according to claim 5, the MME is configured to send to the UE the selected NAS security algorithm in an integrity protected way using the NAS protection key derived by the MME.

17. The system according to claim 5, wherein the MME is configured to send the selected NAS security algorithm by including the selected NAS security algorithm in a NAS security mode command (SMC) message.

18. The system according to claim 17, the MME is configured to send to the UE the NAS security mode command (SMC) message in an integrity protection way with the NAS protection key derived by the MME.

19. The system according to claim 5, wherein the MME is configured to send the selected NAS security algorithm to the UE through a TAU accept message.

20. The system according to claim 5, wherein the NAS security algorithm includes a NAS integrity protection algorithm and a NAS confidentiality protection algorithm, the NAS protection key includes a NAS integrity protection key and a NAS confidentiality protection key.
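The following Python simulation is added here to walk through the procedure described in the abstract and in claims 1, 4, 6 to 8 and 11; it is not code from the patent, its assignee, or any 3GPP implementation. Both sides are modelled: the MME receives the UE's security capabilities from the TAU request, obtains the authentication vector-related key (IK and CK for a 3G source network, Kc for 2G, per claims 3 and 10), selects a NAS integrity and a NAS confidentiality algorithm, derives a root key and then the NAS keys, and sends the selection in an integrity-protected NAS SMC; the UE repeats the derivation and verifies the MAC. Everything concrete is an assumption: HMAC-SHA256 as the key derivation function and as the MAC (truncated to 32 bits), the labels, the placeholder algorithm names, and the sample IK/CK/Kc values are all constructed. The UE's comparison of the echoed capabilities with what it actually sent is standard bidding-down protection and goes beyond what the claims state.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample key material (not from the patent): 3G IK and CK, 2G Kc.
SAMPLE_IK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_CK = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
SAMPLE_KC = bytes.fromhex("2021222324252627")

# MME preference lists, strongest first. Names are hypothetical placeholders,
# not 3GPP algorithm identifiers.
MME_INTEGRITY_PREFERENCE = ("ALG-INT-2", "ALG-INT-1")
MME_CIPHER_PREFERENCE = ("ALG-ENC-2", "ALG-ENC-1", "ALG-ENC-0")


def kdf(key: bytes, label: bytes) -> bytes:
    """Assumed key derivation function: HMAC-SHA256 of a label under the input key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def key_from_3g(ik: bytes, ck: bytes) -> bytes:
    """Claim 10: for a 3G source network the input key is built from IK and CK."""
    return ik + ck


def derive_root_key(source_key: bytes) -> bytes:
    """Claim 4, first step: a root key derived from the authentication vector-related key."""
    return kdf(source_key, b"root-key")


def derive_nas_keys(root_key: bytes, integrity_alg: str, cipher_alg: str) -> tuple:
    """Claim 4, second step, and claim 11: separate NAS integrity and confidentiality
    keys. Binding each key to its algorithm name is an assumption of this example."""
    k_nas_int = kdf(root_key, b"NAS-int:" + integrity_alg.encode())
    k_nas_enc = kdf(root_key, b"NAS-enc:" + cipher_alg.encode())
    return k_nas_int, k_nas_enc


def select_algorithm(preference: tuple, ue_supported: tuple) -> str:
    """Claim 1: the MME picks its most-preferred algorithm that the UE reports supporting."""
    for alg in preference:
        if alg in ue_supported:
            return alg
    raise ValueError("no NAS algorithm common to MME and UE")


@dataclass(frozen=True)
class SecurityModeCommand:
    """Claims 7 and 8: the NAS SMC carrying the selection, integrity protected."""
    integrity_alg: str
    cipher_alg: str
    echoed_capabilities: tuple  # (integrity algs, ciphering algs) as seen by the MME
    mac: bytes


def _smc_payload(integrity_alg: str, cipher_alg: str, caps: tuple) -> bytes:
    # Canonical serialisation of the fields covered by the MAC.
    return repr((integrity_alg, cipher_alg, caps)).encode()


def mme_handle_tau(ue_capabilities: tuple, source_key: bytes):
    """MME side (claims 1, 6-8): select algorithms, derive keys, build the protected SMC."""
    int_caps, enc_caps = ue_capabilities
    int_alg = select_algorithm(MME_INTEGRITY_PREFERENCE, int_caps)
    enc_alg = select_algorithm(MME_CIPHER_PREFERENCE, enc_caps)
    k_int, k_enc = derive_nas_keys(derive_root_key(source_key), int_alg, enc_alg)
    payload = _smc_payload(int_alg, enc_alg, ue_capabilities)
    mac = hmac.new(k_int, payload, hashlib.sha256).digest()[:4]  # 32-bit NAS MAC (assumed)
    return SecurityModeCommand(int_alg, enc_alg, ue_capabilities, mac), (k_int, k_enc)


def ue_handle_smc(smc: SecurityModeCommand, own_capabilities: tuple, source_key: bytes):
    """UE side (claim 1, last step): same derivation, then verify before accepting."""
    k_int, k_enc = derive_nas_keys(derive_root_key(source_key), smc.integrity_alg, smc.cipher_alg)
    payload = _smc_payload(smc.integrity_alg, smc.cipher_alg, smc.echoed_capabilities)
    expected = hmac.new(k_int, payload, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(expected, smc.mac):
        raise ValueError("NAS SMC integrity check failed")
    # Added check beyond the claims: the TAU request is sent unprotected, so the UE
    # compares the MME's echo of its capabilities with what it really sent.
    if smc.echoed_capabilities != own_capabilities:
        raise ValueError("UE security capabilities were altered in transit")
    return k_int, k_enc


def negotiate(ue_capabilities: tuple, source_key: bytes, capabilities_seen_by_mme=None):
    """Run both sides. `capabilities_seen_by_mme` lets a caller model a TAU request
    whose capability list was modified before reaching the MME."""
    seen = ue_capabilities if capabilities_seen_by_mme is None else capabilities_seen_by_mme
    smc, mme_keys = mme_handle_tau(seen, source_key)
    ue_keys = ue_handle_smc(smc, ue_capabilities, source_key)
    return smc, mme_keys, ue_keys


if __name__ == "__main__":
    caps = (("ALG-INT-1", "ALG-INT-2"), ("ALG-ENC-0", "ALG-ENC-1", "ALG-ENC-2"))
    smc, mme_keys, ue_keys = negotiate(caps, key_from_3g(SAMPLE_IK, SAMPLE_CK))
    print("selected:", smc.integrity_alg, smc.cipher_alg, "keys match:", mme_keys == ue_keys)
```

Run as a script the block negotiates once for a UE arriving from a 3G network and reports whether both sides ended with identical NAS keys. The two failure paths a practitioner cares about are both explicit: a modified SMC fails the MAC check because the UE's independently derived NAS integrity key no longer verifies it, and a capability list stripped on the way to the MME is caught when the echo disagrees with the UE's own list.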

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.